Table of Contents
Fetching ...

WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents

Xilong Wang, Yinuo Liu, Zhun Wang, Dawn Song, Neil Gong

TL;DR

WebSentinel tackles prompt injection attacks on web agents by first extracting segments of interest from a webpage and then evaluating each segment within the page context using an analyzer LLM. The approach mitigates context-window and distraction issues via untargeted and targeted pruning and strengthens detection with a suite of alignment checks tailored to segment types. Empirical results show WebSentinel substantially outperforms baselines in both detection and localization across contaminated and clean webpages, with notable gains in accuracy and localization quality, and resilience against adaptive attacks. The work enables practical defense and forensic recovery by pinpointing contaminated regions for remediation.

Abstract

Prompt injection attacks manipulate webpage content to cause web agents to execute attacker-specified tasks instead of the user's intended ones. Existing methods for detecting and localizing such attacks achieve limited effectiveness, as their underlying assumptions often do not hold in the web-agent setting. In this work, we propose WebSentinel, a two-step approach for detecting and localizing prompt injection attacks in webpages. Given a webpage, Step I extracts \emph{segments of interest} that may be contaminated, and Step II evaluates each segment by checking its consistency with the webpage content as context. We show that WebSentinel is highly effective, substantially outperforming baseline methods across multiple datasets of both contaminated and clean webpages that we collected. Our code is available at: https://github.com/wxl-lxw/WebSentinel.

WebSentinel: Detecting and Localizing Prompt Injection Attacks for Web Agents

TL;DR

WebSentinel tackles prompt injection attacks on web agents by first extracting segments of interest from a webpage and then evaluating each segment within the page context using an analyzer LLM. The approach mitigates context-window and distraction issues via untargeted and targeted pruning and strengthens detection with a suite of alignment checks tailored to segment types. Empirical results show WebSentinel substantially outperforms baselines in both detection and localization across contaminated and clean webpages, with notable gains in accuracy and localization quality, and resilience against adaptive attacks. The work enables practical defense and forensic recovery by pinpointing contaminated regions for remediation.

Abstract

Prompt injection attacks manipulate webpage content to cause web agents to execute attacker-specified tasks instead of the user's intended ones. Existing methods for detecting and localizing such attacks achieve limited effectiveness, as their underlying assumptions often do not hold in the web-agent setting. In this work, we propose WebSentinel, a two-step approach for detecting and localizing prompt injection attacks in webpages. Given a webpage, Step I extracts \emph{segments of interest} that may be contaminated, and Step II evaluates each segment by checking its consistency with the webpage content as context. We show that WebSentinel is highly effective, substantially outperforming baseline methods across multiple datasets of both contaminated and clean webpages that we collected. Our code is available at: https://github.com/wxl-lxw/WebSentinel.
Paper Structure (10 sections, 5 figures, 15 tables)

This paper contains 10 sections, 5 figures, 15 tables.

Figures (5)

  • Figure 1: Overview of our WebSentinel.
  • Figure 2: System prompt for the extractor LLM in Step I.
  • Figure 3: System Prompt for the analyzer LLM in Step II.
  • Figure 4: System Prompt for the analyzer LLM in Step II (continued).
  • Figure 5: System Prompt for the analyzer LLM in Step II (continued, final).